Attacks using uniquely developed or customized malware are common. In particular, targeted attacks that steal information from a specific organization or individual by using a RAT (Remote Administration Tool), a type of malware that is controlled remotely, are increasing.
FIG. 1 illustrates an example of a targeted attack using a RAT. In the example in FIG. 1, an attacker connected to an external network such as the Internet transmits a packet A, which carries an instruction, to a terminal connected to an internal network, which is the network of an organization (this terminal is the springboard). The springboard transmits a packet B, which includes a RAT program or the like, to another terminal connected to the internal network (this terminal is the target), and causes that program to be executed. The target establishes a new connection with the attacker and transmits a packet C, which includes information from the target, to the attacker. Alternatively, the target is used as a new springboard for spreading the RAT.
The signature method is known as a technique for detecting malware. In the signature method, patterns of communication data are defined for each kind of malware, and malware is detected by comparing communication data that flows over a network against those patterns.
However, the signature method can detect only malware for which a pattern has already been created; it cannot detect malware that has been uniquely developed or customized.
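The following is an added example, not code from the original document, that shows the signature method as described above and its limitation. The signature patterns and packet payloads are constructed for illustration and do not correspond to any real malware family: a packet from a known family is matched, while a payload in which the attacker has merely changed the opcode string is not.

```python
import re

# Constructed, illustrative signatures: one byte pattern per (hypothetical)
# malware family. A real signature database would hold many more.
SIGNATURES = {
    "rat-family-x": re.compile(rb"CMD:SHELL\x00"),
    "rat-family-y": re.compile(rb"BEACON/1\.0 ID=[0-9a-f]{8}"),
}


def match_signatures(payload):
    """Return the names of all signatures whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(payload)]


def scan(packets):
    """Compare every captured payload against the signature database.

    packets: dict mapping a label to the raw payload bytes.
    Returns a dict mapping each label to the list of matched signature names
    (an empty list means the signature method found nothing).
    """
    return {label: match_signatures(payload) for label, payload in packets.items()}


# Constructed payloads (not real captures).
PACKETS = {
    "known_rat": b"\x00\x01CMD:SHELL\x00whoami",
    "known_beacon": b"BEACON/1.0 ID=0a1b2c3d",
    # Same behaviour as known_rat, but the opcode string was customized, so
    # the byte pattern no longer matches: the customized variant goes undetected.
    "customized_rat": b"\x00\x01cmd-shell\x00whoami",
    "benign_http": b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
}

if __name__ == "__main__":
    for label, hits in scan(PACKETS).items():
        print(f"{label}: {hits or 'no match'}")
```

The customized payload carries the same command as the known one, yet `scan` reports nothing for it, which is exactly the gap the signature method leaves for uniquely developed or customized malware.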
There is also a conventional technique for detecting communication related to a targeted attack. In this conventional technique, a targeted attack is detected by analyzing both the packets transferred between terminals connected to an internal network and the packets transferred between a terminal connected to the internal network and a terminal connected to an external network.
However, the conventional technique described above presumes that capture apparatuses are placed in positions from which packets transferred between terminals on the internal network can be captured. The number of capture apparatuses required grows with the scale of the internal network, and the cost of deploying capture apparatuses in proportion to the scale of an internal network has not been sufficiently studied.
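The following is an added example, not code from the original document, that correlates flow records into the packet A, B, C chain of FIG. 1 and makes the premise of the conventional technique concrete. The internal prefix `10.0.0.0/8`, the flow records, the one-hour window and the `Flow` record type are all constructed assumptions; the detector flags any external destination for packet C rather than requiring it to be the same host that sent packet A. The `perimeter_only` filter models a capture apparatus that sees only internal-to-external traffic, and shows that without a capture point inside the network the chain cannot be detected, because packet B never passes the perimeter.

```python
import ipaddress
from collections import namedtuple

# Assumed internal address range (constructed for this example).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# A flow record: time in seconds since capture start, source, destination, port.
Flow = namedtuple("Flow", ["t", "src", "dst", "dport"])


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


# Constructed flow records reproducing the FIG. 1 scenario among ordinary traffic.
FLOWS = [
    Flow(0, "10.0.1.5", "93.184.216.34", 443),     # normal outbound browsing
    Flow(10, "203.0.113.7", "10.0.1.5", 4444),     # packet A: external -> springboard
    Flow(15, "10.0.1.5", "10.0.2.9", 445),         # packet B: springboard -> target
    Flow(40, "10.0.2.9", "203.0.113.7", 8443),     # packet C: target -> attacker
    Flow(50, "10.0.3.3", "10.0.2.9", 445),         # ordinary internal file sharing
]


def find_chains(flows, window=3600):
    """Return (A, B, C) flow triples matching the FIG. 1 pattern.

    A: external -> internal host S        (instruction to the springboard)
    B: S -> another internal host T       (RAT delivered to the target)
    C: T -> external host                 (new connection back out)
    All three must occur in order within `window` seconds of A.
    """
    flows = sorted(flows, key=lambda f: f.t)
    chains = []
    for a in flows:
        if is_internal(a.src) or not is_internal(a.dst):
            continue
        for b in flows:
            if not (a.t < b.t <= a.t + window):
                continue
            if b.src != a.dst or not is_internal(b.dst) or b.dst == b.src:
                continue
            for c in flows:
                if not (b.t < c.t <= a.t + window):
                    continue
                if c.src == b.dst and not is_internal(c.dst):
                    chains.append((a, b, c))
    return chains


def perimeter_only(flows):
    """Flows visible to a capture apparatus at the internal/external boundary.

    Internal-to-internal traffic (packet B) never crosses the boundary, so it
    is absent from this view.
    """
    return [f for f in flows if is_internal(f.src) != is_internal(f.dst)]


if __name__ == "__main__":
    print("full visibility:", find_chains(FLOWS))
    print("perimeter only :", find_chains(perimeter_only(FLOWS)))
```

With full visibility the detector returns the single A, B, C chain; with the perimeter view alone it returns nothing, which is why the conventional technique needs capture apparatuses inside the internal network, and why their number scales with the network.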
Patent Document 1: Japanese Laid-open Patent Publication No. 2015-15581
Patent Document 2: Japanese Laid-open Patent Publication No. 2015-133547